In the Claims:

1. (Original) A method for intrusion detection of network traffic 
comprising: 

storing a data file comprising data defining one or more signature definitions
and one or more parameters and associated values;

generating, for each of the one or more signature definitions, an inspector 
instance based on the data file; and 

executing, for each of the one or more signature definitions, the generated 
inspector instance to detect network traffic matching the signature definition. 

2. (Original) The method of Claim 1, and further comprising:

storing a user data file comprising signature definitions, each modified
signature definition comprising a signature identifier associating the modified
signature definition with a corresponding signature definition stored in the data file;
and

generating, for each of the modified signature definitions, a revised inspector 
instance based on the modified signature definition and the corresponding generated 
inspector instance. 

3. (Original) The method of Claim 1, wherein the data file comprises,
for each signature definition, data comprising: 

a signature identification number parameter and associated value; 
a signature name and associated string; and 

one or more parameters and respective values defining characteristics of the 
signature. 

4. (Original) The method of Claim 1, wherein each signature 
definition is stored in a separate line of the data file. 

5. (Original) The method of Claim 2, wherein the one or more
modified signature definitions comprises modified values for associated modified 
parameters and no values indicative of the parameters in the corresponding signature 
definition that are not modified. 

6. (Original) The method of Claim 1, wherein the data file comprises 
a file received from a sensor provider. 

7. (Original) The method of Claim 1, wherein the data file comprises 
a file generated by a user. 

8. (Original) The method of Claim 1, wherein receiving the data file 
comprises receiving the data file at a sensor configuration handler. 

9. (Original) The method of Claim 1, and further comprising 
receiving configuration data from a user and storing the received configuration data in 
a user data file. 

10. (Original) The method of Claim 1, and further comprising:

storing a user data file comprising one or more user-defined signature
definitions, each user-defined signature definition comprising a signature identifier
not associated with any of the signature definitions in the data file; and

generating, for each of the user-defined signature definitions, an inspector 
instance based on the user-defined signature. 

11. (Original) A method for use in intrusion detection comprising:

storing a default signature file defining one or more default signatures;

storing a customized signature file defining one or more custom signatures;

automatically generating, for each of the one or more signatures defined in the
default signature file, executable code operable to detect intrusions associated with the
default signature; and

automatically generating, for each of the custom signatures, executable code 
operable to detect intrusions associated with the custom signature. 

12. (Original) The method of Claim 10, wherein storing a customized
signature file comprises storing modifications of one or more of the default 
signatures. 

13. (Original) The method of Claim 10, wherein automatically 
generating, for each of the one or more custom signatures comprises automatically 
generating, for each custom signature, executable code operable to detect intrusions 
associated with the custom signature based on the generated executable code of an 
associated default signature. 

14. (Original) The method of Claim 11, wherein the one or more 
custom signatures comprises modifications of the default signatures. 

15. (Original) The method of Claim 11, wherein generating, for each 
of the one or more default signatures, comprises generating executable code 
associated with the default signature based on an inspector shell. 

16. (Original) The method of Claim 15, wherein the executable code 
associated with the default signature is operable to compare a plurality of parameter 
values to a plurality of parameter values defined by the default signature. 

17. (Original) The method of Claim 11, wherein the default signature 
file comprises, for each default signature; 

a signature identification number parameter and associated value; 
a signature name and associated string; and 

one or more parameters and respective values defining characteristics of the 
default signature. 

18. (Original) The method of Claim 11, wherein the custom signature
file comprises, for each signature: 

a signature identification number parameter and associated value; 
a signature name and associated string; and 

one or more parameters and respective values defining characteristics of the 
default signature. 

19. (Original) A method for use in intrusion detection comprising:

providing a sensor having a plurality of defined signatures;

communicating to the sensor a desire to create a modified signature from a
signature to be modified;

receiving from the sensor data indicative of parameters and associated values 
for the signature to be modified; and 

providing to the sensor a modified value for at least one of the parameters to 
create a modified signature. 

20. (Original) The method of Claim 19, and further comprising storing 
data associated with the modified signature in the sensor at a location separate from 
the associated unmodified signature. 

21. (Original) The method of Claim 20, and further comprising storing
in the sensor the name, signature identification number, and one or more parameters 
and associated values for only the modified values for the modified signature. 

22. (Original) The method of Claim 19, and further comprising 
communicating to the sensor the name of an engine associated with the signature to be 
modified. 

23. (Original) The method of Claim 20, wherein storing data 
associated with the modified signature comprises storing a plurality of parameter 
names and associated values. 

24. (Original) The method of Claim 19, and further comprising
selecting a signature to be modified from the plurality of defined signatures. 

25. (Original) The method of Claim 22, and further comprising 
receiving a list indicative of all defined signatures associated with the engine. 

26. (Original) The method of Claim 19, wherein providing a sensor 
having a plurality of defined signatures comprises providing a sensor having a default 
data file defining the defined signatures. 

27. (Original) The method of Claim 26, and further comprising 
updating the default file. 

28. (Original) A system for intrusion detection comprising: 

a sensor for detecting possible network intrusions, the sensor comprising: 

one or more engine groups each associated with one or more network 
detection engines; and 

a configuration handler comprising: 

a default signature file storing one or more signature definitions 
defining one or more respective default signatures for use by the sensor; and 

a user signature file storing a plurality of user-defined 
signatures for use by the sensor; and 

wherein each network detection engine is operable to generate an 
executable code based on either one of the stored default signatures or one of the 
stored user-defined signatures, the executable code operable to detect a network 
intrusion defined by the associated user-defined signature or the associated default 
signature. 

29. (Original) The system of Claim 28, wherein the configuration 
handler further comprising stored modifications to the default signatures. 

30. (Original) The system of Claim 29, wherein the stored 
modifications are stored in the user signature file. 

31. (Original) The system of Claim 28, wherein the configuration
handler further comprises a user interface operable to: 

receive an identification of a signature to be modified; 

provide a list of parameters and associated values for the signature to be 
modified; 

receive revised values for one or more of the parameters; and 
write a revised signature to the user-defined data file. 

32. (Original) The system of Claim 28, wherein the configuration 
handler further comprises a user interface operable to: 

provide a list of possible parameters for a particular engine; 
receive a plurality of values for one or more of the parameters to define a
user-defined signature associated with the engine; and parameters; and
write a user-defined signature to the user signature file. 

33. (Original) The system of Claim 28, wherein the configuration 
handler further comprises a reader and dispatcher operable to read data from the 
default signature file and user signature file and transmit the read data to the one or 
more engine groups. 

34. (Original) The system of Claim 28, and further comprising a 
management console associated with the sensor and operable to communicate 
configuration data to the configuration handler and receive configuration help 
information from the configuration handler. 

35. (Currently Amended) A system for intrusion detection, comprising:
a sensor for detecting possible network intrusions, the sensor comprising: 

at least one engine; and 

a means for storing default signatures with parameter-value pairs 
associated with the default signatures and user-defined signatures with 
parameter-value pairs associated with the user-defined signatures for defining
signatures to be detected by the at least one engine. 

36. (Original) A method for use in intrusion detection of network 
traffic comprising: 

storing in a memory a signature definition associated with a signature to be 
detected, the signature definitions comprising: 

an identifier for the signature; and 

one or more parameter-value pairs associated with the signature, each 
parameter-value pair comprising a parameter name and associated parameter 
value; and 

determining, based on the signature definition, the values that associated 
parameters of network traffic must take to meet the signature. 

37. (Original) The method of Claim 36, and further comprising storing 
a plurality of signature definitions in a data file, each signature definition on a
different line of the data file. 

38. (Original) The method of Claim 36, wherein each signature 
definition further comprises an engine parameter and an associated name for the 
engine parameter. 

39. (Original) The method of Claim 36, wherein each signature 
definition further comprises an identification parameter preceding the signature 
identifier. 
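
The following is an added illustration, not part of the claims and not any vendor's file format. It sketches the arrangement recited in Claims 1, 2, 5, 10 and 36: a default file with one signature per line, a user file holding either sparse overrides keyed by signature identifier or complete user-defined signatures, and an inspector instance generated per merged definition. The `Name value` line layout, the parameter names (`Engine`, `SIGID`, `SigName`, `DstPort`, `MinHits`) and the event fields are assumptions.

```python
import shlex

# Constructed sample files; the "Name value" line layout and all names are assumptions.
DEFAULT_FILE = '''\
Engine ATOMIC.TCP SIGID 3001 SigName "Telnet probe" DstPort 23 MinHits 5
Engine ATOMIC.UDP SIGID 4001 SigName "DNS flood" DstPort 53 MinHits 100
'''
USER_FILE = '''\
SIGID 3001 MinHits 2
Engine ATOMIC.TCP SIGID 20001 SigName "Telnet on alt port" DstPort 2323 MinHits 1
'''

def load(text):
    """Parse one signature definition per line into {SIGID: {parameter: value}}."""
    sigs = {}
    for line in filter(str.strip, text.splitlines()):
        tokens = shlex.split(line)
        sig = dict(zip(tokens[0::2], tokens[1::2]))
        if len(tokens) % 2 or "SIGID" not in sig:
            raise ValueError(f"malformed signature line: {line!r}")
        sigs[sig["SIGID"]] = sig
    return sigs

def merge(defaults, user):
    """Known SIGID: override only the listed parameters. New SIGID: user-defined."""
    merged = {sid: dict(sig) for sid, sig in defaults.items()}
    for sid, sig in user.items():
        if sid not in merged and "Engine" not in sig:
            raise ValueError(f"signature {sid} matches no default and names no engine")
        merged.setdefault(sid, {}).update(sig)
    return merged

def make_inspector(sig):
    """Build a callable comparing traffic attributes to the signature's values."""
    proto = sig["Engine"].split(".")[-1]
    port, min_hits = int(sig["DstPort"]), int(sig["MinHits"])
    return lambda ev: (ev["proto"], ev["dst_port"]) == (proto, port) and ev["hits"] >= min_hits

def build_inspectors(default_text, user_text):
    merged = merge(load(default_text), load(user_text))
    return {sid: make_inspector(sig) for sid, sig in merged.items()}

def alerts(inspectors, event):
    """Return the SIGIDs of every inspector instance that matches the event."""
    return sorted(sid for sid, inspect in inspectors.items() if inspect(event))

if __name__ == "__main__":
    print(alerts(build_inspectors(DEFAULT_FILE, USER_FILE),
                 {"proto": "TCP", "dst_port": 23, "hits": 3}))
```

A sparse user entry whose identifier matches no default signature is rejected rather than silently accepted, since it would otherwise yield a signature bound to no engine.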



